Security checks #72
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security checks | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '0 8 * * 1' | |
| jobs: | |
| test-trivy: | |
| name: Analyze the Matchbox image with Trivy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@main | |
| # We will scan the Matchbox image used in the Dockerfile with Trivy. | |
| # The Trivy scan is also enabled in Matchbox repository, but only for the latest version. | |
| # If a new vulnerability is discovered in a previous release that is still used here, we will catch it. | |
| - name: Extract the image name from the Dockerfile | |
| run: echo "image_name=$(awk '/FROM ([a-zA-Z0-9\.\-/:]+)/ { print $2 }' Dockerfile)" >> "$GITHUB_ENV" | |
| - name: Run Trivy vulnerability scanner in image mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'image' | |
| image-ref: ${{ env.image_name }} | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| env: | |
| TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2 | |
| TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-db:1 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@main | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' |